GitHub Actions + Jenkins Security Integration

The Reality: You're Probably Here Because Migration Failed

Look, you're probably stuck with Jenkins because ops built everything around it in 2016 and nobody wants to touch that infrastructure. Meanwhile, security discovered GitHub Actions can do vulnerability scanning without setting up another SonarQube server that crashes every Tuesday.

So you end up with this hybrid monster: GitHub Actions does the security theater scanning that makes compliance happy, and Jenkins handles the actual deployment pipeline that somehow still works despite running on Java 8.

The typical pattern is GitHub webhooks trigger Jenkins builds, which then maybe trigger more GitHub Actions, creating a delightful debug nightmare when something breaks at 2 AM. But it works 80% of the time, and that's better than the previous system that worked 60% of the time.

Why This Actually Works (Sometimes)

Security Coverage That Doesn't Suck: GitHub Actions CodeQL runs fast and catches actual vulnerabilities, unlike that abandoned SonarQube instance that flags every eval() as critical. Secret scanning prevents your developers from committing AWS keys to public repos (again). Jenkins handles the heavy lifting with tools like OWASP ZAP, which takes 3 hours to scan a simple React app but finds XSS vulnerabilities your manual testing missed.

Fast Feedback vs. Compliance Bullshit: GitHub Actions gives developers immediate feedback on pull requests before the security team can complain. Jenkins runs the scans that take forever but satisfy audit requirements. Developers get unblocked quickly, security gets their reports, everyone pretends the system works perfectly.

Political Reality: Your ops team has 5 years of Jenkins expertise and Groovy pipelines they barely understand. Security wants modern tooling that actually works. GitHub Actions lets you adopt decent security scanning without starting a infrastructure war or migrating 200 deployment pipelines that sort of work.

Where The Scans Actually Happen

Pull Request Level: GitHub Actions runs CodeQL and Dependabot on every PR because it's free and fast. Dependabot creates approximately 47 dependency update PRs per week that your team ignores until a critical vulnerability forces you to upgrade React from version 16. Secret scanning catches the database passwords your contractors keep committing.

Jenkins Heavy Artillery: Once code gets past PR review, Jenkins unleashes the full security circus. SonarQube runs for 20 minutes analyzing code complexity metrics nobody understands. OWASP ZAP launches a browser, clicks every button, and declares your login form vulnerable to SQL injection (it's not). Trivy scans container images and panics about Alpine Linux CVEs from 2019 that don't actually matter.

Deployment Reality Check: OIDC authentication works great until AWS changes their API again. Artifact signing happens when someone remembers to configure GPG keys. Continuous monitoring means Datadog alerts you 30 seconds after production explodes, which is still faster than your users posting angry tweets.

GitHub Actions Security Setup

First, you'll configure GitHub Actions to do the basic security scanning that should have been enabled from day one. This runs on every PR so developers get immediate feedback before your security team can schedule a 3-hour meeting to discuss the findings.

Basic Security Workflow Structure:

Set up your GitHub Actions workflow for security scanning:

name: Security Validation Pipeline
on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:
    inputs:
      scan_depth:
        description: 'Security scan depth'
        required: false
        default: 'standard'

jobs:
  security-scan:
    runs-on: ubuntu-latest
    timeout-minutes: 45  # CodeQL times out on large repos, increase or developers riot
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        # Sometimes fails with \"runner offline\" every Tuesday, retry helps
        continue-on-error: true
      - name: Security Analysis
        uses: github/codeql-action/analyze@v3
      - name: Dependency Scan
        uses: github/dependency-check-action@main
        # This action randomly breaks when NIST updates their CVE database

This runs on every PR, which sounds great until CodeQL takes 45 minutes to analyze your monolithic Next.js app and developers start bypassing the branch protection rules. The workflow_dispatch is for when you need to manually debug why the scanner thinks your TypeScript types are SQL injection vulnerabilities.

Jenkins Pipeline Integration (The Part That Breaks Everything)

Jenkins handles the heavy security scanning because your ops team insists it's "enterprise-grade" and because migrating 200 deployment pipelines isn't happening before the heat death of the universe. GitHub webhooks trigger Jenkins builds, which works great until the webhook randomly fails and nobody notices for 3 days.

Jenkins Pipeline Configuration Pattern:

pipeline {
    agent any
    parameters {
        string(name: 'GITHUB_SHA', description: 'GitHub commit SHA')
        string(name: 'GITHUB_REF', description: 'GitHub branch reference')
    }
    stages {
        stage('Security Validation') {
            parallel {
                stage('SAST Scanning') {
                    steps {
                        // SonarQube randomly runs out of heap memory, hence the retry
                        retry(3) {
                            sh 'sonar-scanner -Dsonar.projectKey=${JOB_NAME} -Xmx4g'
                        }
                    }
                }
                stage('Container Security') {
                    steps {
                        // Trivy takes forever, run in parallel or developers will revolt
                        sh 'trivy image --timeout 10m --format json ${DOCKER_IMAGE}'
                    }
                }
                stage('Infrastructure Security') {
                    steps {
                        // Checkov flags every AWS resource as a security risk
                        sh 'checkov -d . --framework terraform --skip-check CKV_AWS_*'
                    }
                }
            }
        }
        stage('Security Gate') {
            steps {
                script {
                    // Only fail on HIGH/CRITICAL, or nothing ever deploys
                    if (currentBuild.result == 'UNSTABLE') {
                        error(\"Actual security vulnerabilities detected (not the usual false positives)\")
                    }
                }
            }
        }
    }
}

Authentication Nightmare (aka "Secure Communication")

OIDC Integration: OIDC tokens work great for AWS until Amazon changes their token validation logic and breaks your deployment pipeline for 6 hours. GitHub's OIDC setup is straightforward, but debugging token expiration errors at 3 AM while production is down isn't fun.

Webhook Security: GitHub webhook signatures prevent replay attacks, assuming you remember to validate them. Jenkins should verify webhook payloads, but most teams skip this until someone malicious triggers a deployment to production. Configure webhook secrets and pray you never have to debug why Jenkins keeps getting invalid signature errors.

Credential Hell: GitHub encrypted secrets work fine until you need to rotate API keys across 47 repositories. Jenkins credential management is "secure" in the sense that nobody can remember how to update them. The person who originally configured the AWS credentials left the company 2 years ago and didn't document which IAM role does what.

Making The Security Tools Actually Work

Why The Same Bug Gets Reported 5 Different Ways: GitHub Actions runs CodeQL fast because it only analyzes what changed. Jenkins runs everything because ops doesn't trust incremental analysis. This creates a delightful situation where the same vulnerability gets reported 3 different ways by 3 different tools, each with different severity ratings.

Results Aggregation (Good Luck): DefectDojo looks great in demos until you try to configure it. AWS Security Hub costs $3 per finding per month and flags every outdated JavaScript dependency as critical. Most teams end up with spreadsheets because the security findings management tools are worse than the problems they're solving.

Quality Gates That Don't Block Everything: Set security gates too strict and nothing deploys. Set them too loose and the auditors complain. The sweet spot is blocking actual critical vulnerabilities while ignoring the 847 "medium" findings about using HTTP instead of HTTPS for internal service health checks that only work over HTTP anyway.